Software forensics for embedded systems developers

Robert Zeidman

August 14, 2011

In this chapter from his book "The Software IP Detective's Handbook," Bob Zeidman describes some of the concepts behind the new field of software forensics, and how they can be used to safeguard the unique and proprietary Intellectual Property incorporated into your design. 

The word forensic comes from the Latin word forensis meaning “of or before the forum.” In ancient Rome, an accused criminal and the accusing victim would present their cases before a group in a public forum. In this very general sense it was not unlike the modern U.S. legal system where plaintiffs and defendants present their cases in a public forum. Of course, the rules and procedures of the presentation, of which there are very many, differ from those days. Also, whether in a civil trial or a criminal trial, all parties can be represented by lawyers trained in the intricacies of these rules and procedures.

At these ancient Roman forums, both parties would present their cases to the forum and one party would be declared a winner. The party with the better presentation skills, regardless of innocence or guilt, would often prevail.

The modern system relies on the fact that attorneys representing the parties make the arguments rather than the parties themselves. The entire system relies on the assumption that lawyers, trained in law and skilled at presenting complex information, will present both parties’ cases in the best possible manner and that ultimately a just outcome will occur. I don’t want to say that the truth will prevail, not only because that’s a cliché but because there is often some amount of truth in the arguments of both parties. Rather, more often than not, justice will be served.

This model works very well—not perfectly, but very well. With regard to highly technical cases, however, the percentage of cases where justice is served is lower because the issues are difficult for judges and juries to grasp. Technical experts can throw around highly technical terms, sometimes without realizing it and other times to purposely confuse a judge or jury. This is why two things are required to improve the analysis of software for the legal system:

  1. Create a standard method of quantizing software comparisons.
  2. Create a standard methodology for using this quantization to reach a conclusion that is usable in a court of law.

These two things are embodied in what is called “software forensics.” Before we arrive at a working definition, let us look at the definitions of related terms: “forensic science,” “forensic engineering,” and “digital forensics.”

The Need for Software Forensics
Some years ago, when I had just begun developing the metrics described in The Software Detective's Handbook (as well as the software to calculate the metrics, and the methodology to reach a conclusion based on the metrics), I was contacted by a party in a software copyright dispute in Europe.

A software company had been accused of copying source code from another company. The software implemented real-time trading of financial derivatives. A group of software engineers had left one company to work for the other company; that’s the most common circumstance under which software is stolen or alleged to have been stolen.

The plaintiff hired a well-known computer science professor from the Royal Institute of Technology, Stockholm, Sweden, to compare the source code. This respected professor, who had taught computer science for many years, reviewed both sets of source code and wrote his report.

His conclusion could be boiled down to this: “I have spent 20 years in the field of computer science and have reviewed many lines of source code. In my experience, I have not seen many examples of code written in this way. Thus it is my opinion that any similarities in the code are due to the fact that code was copied from one program to another.”

Unfortunately for the plaintiff, the defendant responded by hiring another well-known computer science professor. This person was the head of the computer science department at the very same Royal Institute of Technology, the first professor’s boss.

This professor compared the source code from the two parties, and essentially her conclusion was this: “I have spent 20 years in the field of computer science and have reviewed many lines of source code. In my experience, I have seen many examples of code written in this way. Thus it is my opinion that any similarities in the code are due to the fact that these are simply common ways of writing code.”

The defendant did some research and came across my papers and my CodeSuite software. The defendant hired me, and I ran a CodeMatch comparison and then followed my standard procedure. CodeMatch revealed a fairly high correlation between the source code of the two programs.

However, there were no common comments or strings, there were no common instruction sequences, and when I filtered out common statements and identifier names I was left with only a single identifier name that correlated. Because the identifier name combined standard terms in the industry, and both programs were written by the same programmers, I concluded that no copying had actually occurred.

After writing my expert report, what struck me was how much a truly standardized, quantified, scientific method was needed in this area of software forensics, and I made it my goal to bring as much credibility to this field as there is in the field of DNA analysis, another very complex process that is well defined and accepted in modern courts.

Forensic Science
According to the Merriam-Webster Online Dictionary, science is defined as “knowledge or a system of knowledge covering general truths or the operation of general laws especially as obtained and tested through scientific method.” Forensic science is the application of scientific methods for the purpose of drawing conclusions in court (criminal or civil). The first written account of using this kind of study and analysis to solve criminal cases is given in the book entitled Collected Cases of Injustice Rectified, written by Song Ci during the Song Dynasty of China in 1248. In one case, when a person was found murdered in a small town, Song Ci examined the wound of the corpse. By testing different kinds of knives on animal carcasses and comparing the wounds to that of the murder victim, he found that the wound appeared to have been caused by a sickle. Song Ci had everyone in town bring their sickles to the town center for examination. One of the sickles began attracting flies because of the blood on it, and the sickle’s owner confessed to the murder.

This groundbreaking book discussed other forensic science techniques, including the fact that water in the lungs is a sign of drowning and broken cartilage in the neck is a sign of strangulation. Song Ci discussed how to examine corpses to determine whether death was caused by murder, suicide, or simply an accident.

In modern times, the best-known methods of forensic science include fingerprint analysis and DNA analysis. Many other scientific techniques are used to investigate murder cases—to determine time of death, method of death, instrument of death—as well as other less criminal acts. Some other uses of forensic science include determining forgery of contracts and other documents, exonerating convicted criminals through ex post facto examination of evidence that was not considered at trial, and determining the origins of paintings or authorship of contested documents.

Forensic Engineering
Forensic engineering is the investigation of things to determine their cause of failure for presentation in a court of law. Forensic engineering is often used in product liability cases when a product has failed, causing injury to a person or a group of people. A forensic engineering investigation often involves examination and testing of the actual product that failed or another copy of that product.

The examination involves applying various stresses to the product and taking detailed measurements to determine its failure point and mode of failure. For example, a plate of glass at a very high temperature, when hit by a small stone, might chip, shatter, or crack in half. This kind of examination would be useful for understanding how a car or airplane windshield failed. The investigation might start out to replicate the situation that led to the failure in order to understand what factors might have combined to cause it.

Forensic engineering also encompasses reverse engineering, the process of understanding details about how a device works. Thus forensic engineering is critical for patent cases and many trade secret cases.

Two of the most famous cases of forensic engineering involved the Challenger and Columbia space shuttle disasters. On January 28, 1986, the space shuttle Challenger exploded on takeoff, killing its crew. President Ronald Reagan formed the Rogers Commission to investigate the tragedy. A six-month investigation concluded that the O-rings—rubber rings that are used to seal pipes and are used in everyday appliances like household water faucets—had failed.

The O-rings were designed to create a seal in the shuttle’s solid rocket boosters to prevent superheated gas from escaping and damaging the shuttle. Theoretical physicist Richard Feynman famously demonstrated on television how O-rings lose their flexibility in cold temperatures by placing rubber O-rings in a glass of cold water and then stretching them, thus simplifying a complex concept for the public. Further investigation revealed that engineers at Morton Thiokol, Inc., where the O-ring was developed and manufactured, knew of the design flaw and had informed NASA that the low temperature on the day of the launch created a serious danger. They recommended that the launch be postponed, but NASA administrators pressured them into withdrawing their objection.

On February 1, 2003, the space shuttle Columbia disintegrated over Texas during reentry into the Earth’s atmosphere. All seven crew members died. Debris from the accident was scattered over sparsely populated regions from southeast of Dallas, Texas, to western Louisiana and southwestern Arkansas. NASA conducted the largest ground search ever organized to collect the debris, including human remains, for its investigation. The Columbia Accident Investigation Board, or CAIB, consisting of military and civilian experts in various technologies, was formed to conduct the forensic examination.

Figure 9.1 Challenger space shuttle: the crew and physicist Richard Feynman demonstrating the breakdown of the O-ring that was determined to be the cause


Amazingly enough, Columbia’s flight data recorder was recovered in the search. Columbia had a special flight data OEX (Orbiter Experiments) recorder, designed to record and measure vehicle performance during flight. It recorded hundreds of different parameters and contained extensive logs of structural and other data that allowed the CAIB to reconstruct many of the events during the last moments of the flight. The investigators could track the sequence in which the sensors failed, based on the loss of signals from the sensors, to learn how the damage progressed.

Six months of investigation led to the conclusion that a piece of foam that covered the fuel tank broke off during launch and put a hole in the leading edge of the left wing, breaching the reinforced carbon-carbon (RCC) thermal protection system that protected the shuttle from the extreme heat (2,700°C or 5,000°F) during reentry.

Figure 9.2 Columbia space shuttle: the crew and a scene during reentry from the recovered on-board shuttle video
